Opensearch 3.1 new installation on single node - it is not starting up

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue: Installing the 3.1 version of Open search in Redhat linux server , when i am trying to start it, it gives an exception error in the security plugin ( i am trying to use the Demo version)

Configuration:

Relevant Logs or Screenshots:

@ak_amkum19 can you please provide further details about the issue you are having. Including steps you took and any errors in the logs or during those steps.

I have tested locally on RedHat following the below steps and demo configuration works as expected:

1. Download tar file and untar it
2. Add env for OPENSEARCH_INITIAL_ADMIN_PASSWORD
3. Execute demo configuration: ./plugins/opensearch-security/tools/install_demo_configuration.sh
4. Start opensearch: ./bin/opensearch

I am installing the File via RPM. Is there a command to install the demo configuration file for RPM Downloads

@ak_amkum19 have you had a look at the docs

Can you provide any errors you are getting when you use this installation?

The default installation already includes the demo configuration.

Hi,

I am installing it in a Linux system using a RPM Package. I have uninstalled and tried to re-install opensearch.

Please find the error i am getting now

Job for opensearch.service failed because the control process exited with error code.
See “systemctl status opensearch.service” and “journalctl -xeu opensearch.service” for details.
[ ~]# sudo systemctl status opensearch
× opensearch.service - OpenSearch
Loaded: loaded (/usr/lib/systemd/system/opensearch.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Tue 2025-08-12 10:24:20 CEST; 27s ago
Docs: https://opensearch.org/
Process: 65419 ExecStartPre=/bin/mkdir -p /dev/shm/performanceanalyzer (code=exited, status=226/NAMESPACE)
CPU: 4ms

Aug 12 10:24:20 XXXXX systemd[1]: Starting OpenSearch…
Aug 12 10:24:20 XXXXXXX systemd[65419]: opensearch.service: Failed to set up mount namespacing: /run/systemd/unit-root/var/lib/opensearch: No such f>
Aug 12 10:24:20 XXX systemd[65419]: opensearch.service: Failed at step NAMESPACE spawning /bin/mkdir: No such file or directory
Aug 12 10:24:20 XXXXXX systemd[1]: opensearch.service: Control process exited, code=exited, status=226/NAMESPACE
Aug 12 10:24:20 XXXXXX systemd[1]: opensearch.service: Failed with result ‘exit-code’.
Aug 12 10:24:20 XXXXX systemd[1]: Failed to start OpenSearch

Is there a need to do Signature verification before installing. i have not done it.

@ak_amkum19 which linux are you using? Can you provide the commands you used to install it please.

I am using Red hat Linux 9.6 version . I have used the following commands to install the opensearch as a RPM Package. This is the command i am using for installing Opensearch

sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=ent.txt rpm -ivh opensearch-3.1.0-linux-x64.rpm

After running the command it says, installed . but when i check the status of opensearch i get Exception errors, which i have mentioned above.

Thanks AK

Please find the logs ..

sudo systemctl start opensearch
Job for opensearch.service failed because the control process exited with error code.
See “systemctl status opensearch.service” and “journalctl -xeu opensearch.service” for details.
[root@XXXXX ~]# sudo systemctl status opensearch
× opensearch.service - OpenSearch
Loaded: loaded (/usr/lib/systemd/system/opensearch.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Tue 2025-08-12 18:21:26 CEST; 51s ago
Docs: https://opensearch.org/
Process: 162700 ExecStartPre=/bin/mkdir -p /dev/shm/performanceanalyzer (code=exited, status=0/SUCCESS)
Process: 162701 ExecStartPre=/bin/chown opensearch:opensearch /dev/shm/performanceanalyzer (code=exited, status=0/SUCCESS)
Process: 162702 ExecStart=/usr/share/opensearch/bin/systemd-entrypoint -p ${PID_DIR}/opensearch.pid --quiet (code=exited, status=1/FAILURE)
Main PID: 162702 (code=exited, status=1/FAILURE)
CPU: 12.650s

Aug 12 18:21:25 XXXX opensearch[162702]: at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110)
Aug 12 18:21:25 IXXXX1 opensearch[162702]: at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
Aug 12 18:21:25 XXXX opensearch[162702]: at org.opensearch.cli.Command.main(Command.java:101)
Aug 12 18:21:25 XXXX opensearch[162702]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125)
Aug 12 18:21:25 XXXXX opensearch[162702]: at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91)
Aug 12 18:21:25 XXXXX opensearch[162702]: For complete error details, refer to the log at /var/log/opensearch/opensearch.log
Aug 12 18:21:26 XXXX systemd[1]: opensearch.service: Main process exited, code=exited, status=1/FAILURE
Aug 12 18:21:26 XXXXX systemd[1]: opensearch.service: Failed with result ‘exit-code’.
Aug 12 18:21:26 XXXXX systemd[1]: Failed to start OpenSearch.

Please find the error logs from the opensearch.log file

Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2025-08-12T18:16:27,977][WARN ][stderr ] [xxxx] Aug 12, 2025 6:16:27 PM org.apache.lucene.internal.vectorization.PanamaVectorizationProvider
[2025-08-12T18:16:27,977][WARN ][stderr ] [xxxx1] INFO: Java vector incubator API enabled; uses preferredBitSize=512; FMA enabled
[2025-08-12T18:16:28,577][INFO ][o.o.s.s.t.SSLConfig ] [xxxx1] SSL dual mode is disabled
[2025-08-12T18:16:28,577][INFO ][o.o.s.OpenSearchSecurityPlugin] [xxxxx1] OpenSearch Config path is /etc/opensearch
[2025-08-12T18:16:28,911][ERROR][o.o.b.Bootstrap ] [xxxx] Exception
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:881) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:820) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:615) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.plugins.PluginsService.(PluginsService.java:229) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.node.Node.(Node.java:536) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.node.Node.(Node.java:464) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:249) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:249) ~[opensearch-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:411) [opensearch-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168) [opensearch-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159) [opensearch-3.1.0.jar:3.1.0]
at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110) [opensearch-3.1.0.jar:3.1.0]
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) [opensearch-cli-3.1.0.jar:3.1.0]
at org.opensearch.cli.Command.main(Command.java:101) [opensearch-cli-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125) [opensearch-3.1.0.jar:3.1.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91) [opensearch-3.1.0.jar:3.1.0]
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
“opensearch.log” 200L, 22558B

@ak_amkum19 this seems to be related to your specific environment, have you had a look at this post. There are possible solutions listed there.

I was able to solve the namespace problem. Now i am struck with the following error

2025-08-12T18:47:51,923\]\[INFO \]\[o.o.s.s.t.SSLConfig      \] \[node-1\] SSL dual mode is disabled
\[2025-08-12T18:47:51,923\]\[INFO \]\[o.o.s.OpenSearchSecurityPlugin\] \[node-1\] OpenSearch Config path is /etc/opensearch
\[2025-08-12T18:47:52,271\]\[ERROR\]\[o.o.b.Bootstrap          \] \[node-1\] Exception
java.lang.IllegalStateException: failed to load plugin class \[org.opensearch.security.OpenSearchSecurityPlugin\]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:881) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:820) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:615) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.plugins.PluginsService.(PluginsService.java:229) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.node.Node.(Node.java:536) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.node.Node.(Node.java:464) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:249) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:249) \~\[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:411) \[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:168) \[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:159) \[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110) \[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) \[opensearch-cli-3.1.0.jar:3.1.0\]
at org.opensearch.cli.Command.main(Command.java:101) \[opensearch-cli-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:125) \[opensearch-3.1.0.jar:3.1.0\]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:91) \[opensearch-3.1.0.jar:3.1.0\]
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) \~\[?:?\]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) \~\[?:?\]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) \~\[?:?\]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:872) \~\[opensearch-3.1.0.jar:3.1.0\]
… 15 more
Caused by: org.opensearch.OpenSearchException: No SSL configuration found
at org.opensearch.security.ssl.SslSettingsManager.loadConfigurations(SslSettingsManager.java:128) \~\[?:?\]
at org.opensearch.security.ssl.SslSettingsManager.buildSslContexts(SslSettingsManager.java:96) \~\[?:?\]
at org.opensearch.security.ssl.SslSettingsManager.(SslSettingsManager.java:83) \~\[?:?\]
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:248) \~\[?:?\]
at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:347) \~\[?:?\]
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) \~\[?:?\]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) \~\[?:?\]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) \~\[?:?\]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:872) \~\[opensearch-3.1.0.jar:3.1.0\]
… 15 more
\[2025-08-12T18:47:52,276\]\[ERROR\]\[o.o.b.OpenSearchUncaughtExceptionHandler\] \[node-1\] uncaught exception in thread \[main\]
org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class \[org.opensearch.security.OpenSearchSecurityPlugin\]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:172) \~\[opensearch-3.1.0.jar:3.1.0\]
“my-application.log” 208L, 23169B

i think i have some issue with my opensearch.yml file or the demo configuration certs. can u plz let me know a example opensearch.yml file

@ak_amkum19 It seems that the demo security script didn’t run. Or ran with errors. Can you check if the certificates have been generated, if not you will need to do this yourself. I can provide the commands if necessary, but I would suggest using a TLStool for this.

The basic opensearch.yml file with security enabled looks like this, (note the use of certificates which need to be present in /etc/opensearch directory):

# ======================== OpenSearch Configuration =========================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.opensearch.org
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_data_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
# ---------------------------------- Remote Store -----------------------------------
# Controls whether cluster imposes index creation only with remote store enabled
# cluster.remote_store.enabled: true
#
# Repository to use for segment upload while enforcing remote store for an index
# node.attr.remote_store.segment.repository: my-repo-1
#
# Repository to use for translog upload while enforcing remote store for an index
# node.attr.remote_store.translog.repository: my-repo-1
#
# ---------------------------------- Experimental Features -----------------------------------
# Gates the visibility of the experimental segment replication features until they are production ready.
#
#opensearch.experimental.feature.segment_replication_experimental.enabled: false
#
# Gates the functionality of a new parameter to the snapshot restore API
# that allows for creation of a new index type that searches a snapshot
# directly in a remote repository without restoring all index data to disk
# ahead of time.
#
#opensearch.experimental.feature.searchable_snapshot.enabled: false
#
#
# Gates the functionality of enabling extensions to work with OpenSearch.
# This feature enables applications to extend features of OpenSearch outside of
# the core.
#
#opensearch.experimental.feature.extensions.enabled: false
#
#
# Gates the optimization of datetime formatters caching along with change in default datetime formatter
# Once there is no observed impact on performance, this feature flag can be removed.
#
#opensearch.experimental.optimization.datetime_formatter_caching.enabled: false


######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn: ['CN=kirk,OU=client,O=client,L=test,C=de']
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
  .plugins-flow-framework-state, .plugins-search-relevance-experiment, .plugins-search-relevance-judgment-cache]
network.host: 0.0.0.0
node.name: smoketestnode
cluster.initial_cluster_manager_nodes: smoketestnode
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

Hi @Anthony ,

You are correct, the demo security script didnt run. i tried to run it gave me the error “could not find java in JAVA_HOME at /usr/lib/jvm/java-17-openjdk-17.0.13.0.11-4.el9.x86_64/bin/java:

@ak_amkum19 There is a build in JDK, you can set env

OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk

There are some more details about this in the docs here

Thanks , i was able to solve the issue with the java. i am trying to run the “./install_demo_configuration.sh” it throws me an password error .

./install_demo_configuration.sh

### OpenSearch Security Demo Installer

### \*\* Warning: Do not use on production or public reachable systems \*\*

Install demo certificates? \[y/N\] y
Initialize Security Modules? \[y/N\] y
Cluster mode requires additional setup of:

* Virtual memory (vm.max_map_count)

Enable cluster mode? \[y/N\] y
OpenSearch install type: rpm/deb on Linux 5.14.0-570.21.1.el9_6.x86_64 amd64
OpenSearch config dir: /etc/opensearch/
OpenSearch config file: /etc/opensearch/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 3.1.0
Detected OpenSearch Security Version: 3.1.0.0
No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD

where should i add a env variable . i have created a env file in the place where i wanted to install the opensearch( in a different Disk) of the machine

@ak_amkum19 I would recommend to try to get this working without using a password in a file first.

Can you run below:

sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<stromg_password> \
  /usr/share/opensearch/plugins/opensearch-security/tools/install_demo_configuration.sh -y

@Anthony thanks for the message. i was able to run it and it said the password has been set successfully .

### OpenSearch Security Demo Installer

### \*\* Warning: Do not use on production or public reachable systems \*\*

OpenSearch install type: rpm/deb on Linux 5.14.0-570.21.1.el9_6.x86_64 amd64
OpenSearch config dir: /etc/opensearch/
OpenSearch config file: /etc/opensearch/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 3.1.0
Detected OpenSearch Security Version: 3.1.0.0
Admin password set successfully.

### Success

### Execute this script now on all your nodes and then start all nodes

### After the whole cluster is up execute:

sudo “/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh” -cd “/etc/opensearch/opensearch-security” -icl -key “/etc/opensearch/kirk-key.pem” -cert “/etc/opensearch/kirk.pem” -cacert “/etc/opensearch/root-ca.pem” -nhnv

### or run ./securityadmin_demo.sh

### After that you can also use the Security Plugin ConfigurationGUI

### To access your secured cluster open https://: and log in with admin/.

### (Ignore the SSL certificate warning because we installed self-signed demo certificates)